I’m a Houston-based independent analyst, marketing consultant and writer. I follow news and trends across all facets of technology, and help people understand what those trends mean to them and why they should care. I’ve been a CISSP for 13 years, and I’ve been recognized by Microsoft as an MVP for 9 consecutive years. When I’m not working with technology, I’m a husband and father who loves mountains, oceans, football and golf. You can contact me directly at tony@techspective.net. For more from me, you can follow me on Twitter, subscribe to me on Facebook or add me to your Circles on Google+.

The Business World Owes A Lot To Microsoft Trustworthy Computing

Microsoft published a story today called “Life in the Digital Crosshairs”, which details the origins and evolution of the Security Development Lifecycle (SDL). Reflecting on that history, I can’t help but look at the broader context of what Microsoft has accomplished—the success of the SDL and Microsoft Trustworthy Computing echoes far beyond the Microsoft campus.

It may not seem like it at times, but the world of computers and technology is much more secure today than it was a decade ago. We’ve come a long way from the “Wild West” era of malware—thanks in large part to the ongoing efforts of Microsoft Trustworthy Computing.

I know from firsthand experience because I was fighting in the trenches on the front line when massive malware attacks like Code Red, Nimda, and SQL Slammer crippled networks and brought the Internet to its knees. I also experienced the unique “joy” of scrambling to deploy critical patches with no notice whatsoever.

I spent some time in Redmond recently, and had a chance to interview a number of the key members of Microsoft Trustworthy Computing. Our PCs and devices may not be completely invulnerable today, and they never will be, but Microsoft’s efforts to develop a culture of security for its products has had a ripple effect that extends beyond the Windows operating system, and beyond Microsoft itself, to bring lasting improvements for all technologies.

The story isn’t just about Microsoft, though. For any business, staying competitive today starts with evolving security. Microsoft has gone the distance for computer security, and other companies can learn some valuable lessons and should follow Microsoft’s lead.

The Bill Gates Memo

Bill Gates fired the computer security equivalent of the “shot heard ‘round the world” on Tuesday, January 15, 2002. That was the day Gates distributed the now-infamous Memo.

In the wake of Code Red and Nimda—two massive malware attacks that targeted Microsoft software—and a Gartner report warning customers to “Run, don’t walk, away from IIS”, Gates took a hard look at Microsoft software development practices, and declared that security needed to be a top priority rather than an afterthought.

Gates talked about the expectation businesses and consumers had for reliable electricity, water, and telephone service, and said that computers needed to strive to achieve that same level of dependability. He said that computing was far short of that goal, and noted, “Our products should emphasize security right out of the box, and we must constantly refine and improve that security as threats evolve.”

Trustworthy Computing Is Born

As it happens, security wasn’t a new or foreign concept to everyone at Microsoft. Michael Howard and David LeBlanc had given the concept of developing more secure software significant thought, and authored a book titled “Writing Secure Code”, which Gates mentioned in his memo, and which became a blueprint of sorts for the overhaul Microsoft would undergo.

Following the Gates memo, Steve Lipner, Glenn Pittaway, Michael Howard, and the rest of the small team tasked with security got together for a meeting at an off-campus site and talked about what to do next. The group made the monumental decision to halt production of Windows Server 2003, conduct bootcamp-style training of nearly 10,000 developers, and tear the code down to its core to make sure it was developed with secure coding principles in mind.

After revamping of Windows Server 2003 for security, Steve Lipner and team moved on to tackle security overhauls of other products within Microsoft. In 2002 and early 2003, though, the threats continued to escalate—culminating in the SQL Slammer worm that literally crippled the Internet on a global level.

Steve told me that it was at that point he determined that Microsoft needed to go through a similar security overhaul of everything—not just new software, but also go back and dredge existing products to make them more secure. Steve explained, “I don’t think at that time we had any idea, sort of, what that trend line would look like over ten years, but we knew that security was a business that we’d have to be in forever.”

Lipner approached Craig Mundie and Scott Charney about establishing an ongoing secure coding program. “We took the process documentation we had from the security pushes, and the techniques that we had, and we started to build them into a specific set of requirements.”

Those requirements were presented to senior executives, including Bill Gates and Steve Ballmer. Ballmer gave his blessing that this was the way things would be done from now on, and those requirements were refined to become the initial version of the SDL. It was distributed throughout Microsoft, and established as mandatory practice for development teams.

Post Your Comment

Post Your Reply

Forbes writers have the ability to call out member comments they find particularly interesting. Called-out comments are highlighted across the Forbes network. You'll be notified if your comment is called out.

Comments

12 years of “Trustworthy Computing” and you’re still giving them a free score for trying but failing. Why is that? Is securing our technology something where everyone who claims “I tried” gets a ribbon and a tiny plastic trophy cup?

It is called “Trustworthy Computing” not “Invulnerable Computing”. As I stated in the article, and as the Microsoft execs I spoke to openly acknowledged–there is not now and never will be software that can not be hacked or exploited. It’s about risk management, and raising the bar so attackers have to invest more effort.

If you think what we have now is “failing”, you should try to imagine what the world of computing might look like without the SDL and the efforts of Microsoft Trustworthy Computing.

everything was great for me until windows 8 I hate windows 8 but it came with the new computer I loved my old computer everything worked great now I don’t even enjoy going on the computer.this is for the younger generation not the elderly we don’t need all those apps